The Information Commissioner's Office (ICO) is warning firms that they must respect individuals' rights to prevent their data being used for marketing purposes.
- True Telecoms Ltd was fined £85,000 for repeatedly calling people who were registered with the Telephone Preference Service over a two-year period despite being warned not to do so
- The firm continued to make calls even when people specifically asked them not to
- The ICO dealt with over 200 complaints in that time - it had told firms that there is no excuse for making nuisance calls to people who have asked not to receive them
- The General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and reinforces this right
Follow these steps to safeguard data subject rights under GDPR when marketing:
- Make appropriate disclosures to data subjects via privacy notices - so they know who is collecting their information, what it will be used for, whether it will be shared with other organisations and when.
- Inform data subjects upfront of their right to object to data processing - via privacy notices and in your first communications with them.
- Get clear, explicit and unambiguous consent from individuals for any marketing activity - pre-filled boxes, silence or inactivity cannot be taken as a sign of consent. Remember that there are special rules that apply to children's data.
- Implement a process - to ensure that when data subjects change their mind and withdraw consent to marketing, they are not contacted in future and their wishes are respected.
- Honesty is the best policy - encourage everyone to report any data loss, theft or accidental transfer promptly. Cover-ups can be costly under GDPR.
- Have a process to notify the data authority and data subjects if there is a high risk to their rights or freedoms - We have just 72 hours to notify the data authority of a data breach and those affected if there is a high risk to their rights or freedoms. There are significant penalties (€10 million or 2% of global annual turnover) if we don't.
- Only use 'clean' data lists from approved and trusted data suppliers - make sure any in-house lists you use for direct marketing do not contain the names of anyone registered with the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS).